Hospital Explains its Breach Decisions

Lincoln Medical and Mental Health Center in Bronx, N.Y., recently notified 130,495 patients of a breach of their protected health information after seven CDs a business associate FedEx’d were lost (see story). In a statement to Health Data Management, the hospital, part of NYC Health and Hospitals Corp., explains why the data was not encrypted and free identity and credit protection services were not offered to affected patients:

"Under the HIPAA security regulations, encryption is not a legal requirement but a suggested 'addressable' method of safeguarding electronic protected health information. Nevertheless, the Siemens CDs had been safeguarded using password protection. Moreover, in the very unlikely event that an unauthorized user managed to crack or bypass the password, that individual would need to know how to access and utilize Siemens' proprietary software in order to view the information.

"After discussions with security experts and investigations that provided no evidence that information has been improperly accessed by any person or entity, HHC has determined that given the specific facts of this case, and the reduced level of risk and potential exposure, low-cost or free credit and protection services would be just as effective in monitoring possible identity theft as commercially available security monitoring."

--Joseph Goedert